Yesterday, the Ninth Circuit released its opinion in United States v. Mohamud – a case I described back in January 2015 as a “top national security” case to watch in the coming year. Bottom line: The court rejects Mohamed’s challenge to the constitutionality of 702 surveillance (so-named that based on the numbering of the statute that authorized it). The court concludes that the government did not need a warrant when it incidentally collected the communications of Mohamed, a U.S. citizen, in the course of targeting a non-citizen located outside the United States for foreign intelligence reasons. And it rules that, given the facts of the case, the surveillance was reasonable. Mohamed’s life sentence for the attempted detonation of a Portland courthouse (in violation of 18 U.S.C. § 2332a(a)(2)(A)) is affirmed.

There is likely more to say about the opinion in coming days. But three quick points worth emphasizing:

First, the court was careful to emphasize that it was ruling “in the particular facts of the case” only, thus leaving open the possibility of future challenges based on a different set of facts. And it explicitly distinguished the facts of Mohamed’s case, which appears to have involved collection pursuant to PRISM, from two other fact patterns: (i) the use of so-called “upstream collection;” and (2) situations in which incidentally acquired information been retained in some database and then later queried by FBI agents. This second distinction is particularly important. As Steve Vladeck and I argue in a forthcoming book chapter, subsequent law enforcement queries of the 702 database should be understood as distinct Fourth Amendment incident that need to, at a minimum, satisfy the reasonableness test. The Ninth Circuit has not only left the issue open, but nodded to the fact that the analysis is different if the case had involved a subsequent database search.

Second, although the court rejects a constitutional challenge based on the volume of incidental collection about those (like Mohamud) that have Fourth Amendment rights, it does find the scope of such anticipated, incidental collection “troubling.” And it emphasizes the importance of effective minimization procedures – a point with which I could not agree with more.

The Ninth Circuit also raises questions about the sufficiency of the internal oversight mechanisms over the targeting and minimization procedures that are in place. In the court’s words, “[w]here the only judicial review comes in the form of the FISC reviewing the adequacy of procedures, this type of internal oversight [via executive branch certification] that targeting and minimization requirements are being complied with] does not provide a robust safeguard.”

Third, the court relies on the third party doctrine to conclude that individuals (including U.S. citizens) have a “limited” expectation of privacy in emails and other communications shared and received by others. (In so doing, the court implicitly disagreed with a governmental argument, from an earlier round of briefing, that U.S. persons lacked any privacy interests vis a vis the US government in emails communicated with foreign targets (see p. 48 here) –an argument that DOJ itself backed away from in subsequent briefing.) But exactly how diminished? And with respect to collection only, or collection and all subsequent uses? The court didn’t say. Congress should step in and clarify. The idea that if a US person communicates with a foreign friend or business partner, he or she no longer has a privacy interest (or at least not much of one) in how that information is either collected or used is disturbing. And presumably that’s not what the court meant. Or it wouldn’t have separately raised questions about the minimization requirements or suggested that the analysis would be different if the case involved subsequent FBI querying of 702 databases for US person information.